1. Technical Field
The present invention relates to security analysis of applications, and, more particularly, to static security analysis of applications.
2. Description of the Related Art
Web applications are both widespread and highly popular. However, web applications are often highly vulnerable, because their interactions with users of the web give those users opportunities to insert malicious code into the applications. This potential has led to increasing interest in static security analysis as an effective compile-time means of discovering web vulnerabilities.
Static analysis tools typically leverage existing program analysis techniques. A particularly useful tool is taint analysis, which provides a way of reducing security analysis to a graph reachability problem. Taint analysis is parameterized by a set of security rules, each rule being a triple <Src,San,Snk> denoting: 1) source statements reading untrusted user inputs (Src); 2) downgrader statements endorsing untrusted data by either validating or sanitizing the data (San); and 3) sink statements performing security-sensitive operations (Snk). Given a security rule r = <Src_r,San_r,Snk_r>, a flow from a source in Src_r to a sink in Snk_r that does not pass through a downgrader from San_r comprises a potential vulnerability.
A characteristic of standard taint analysis is that its design assumes a single control flow. Thus, to track the flow of tainted data arising at a source statement, the analysis propagates this data along control-flow edges until reaching a fixpoint.
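The following is an added example, not part of the original text: a minimal taint analysis over a constructed control-flow graph that applies one <Src,San,Snk> rule and propagates taint along control-flow edges until a fixpoint is reached. The node labels, the rule contents and the helper name taint_analysis are all hypothetical choices for this illustration.

```python
# Constructed toy web handler as a control-flow graph (CFG). Node labels and
# the rule contents are hypothetical names chosen for this example.
NODES = {
    "n0": "read_param",      # Src: reads an untrusted request parameter
    "n1": "concat",          # ordinary statement: builds a string
    "n2": "html_escape",     # San: downgrader that sanitizes the data
    "n3": "write_response",  # Snk: writes to the HTTP response
    "n4": "exec_query",      # Snk: runs a database query
}
EDGES = {                     # control-flow edges, including a loop n3 -> n1
    "n0": ["n1"], "n1": ["n2", "n4"], "n2": ["n3"], "n3": ["n1"], "n4": [],
}
RULE = {"Src": {"read_param"}, "San": {"html_escape"},
        "Snk": {"write_response", "exec_query"}}


def taint_analysis(nodes, edges, rule):
    """Return sorted (source, sink) pairs where untrusted data reaches a sink
    without passing through a downgrader from rule["San"]."""
    preds = {n: [] for n in nodes}
    for src, succs in edges.items():
        for dst in succs:
            preds[dst].append(src)
    # taint[n] is the set of source statements whose data reaches statement n
    taint = {n: ({n} if nodes[n] in rule["Src"] else set()) for n in nodes}
    changed = True
    while changed:  # propagate along CFG edges until a fixpoint is reached
        changed = False
        for n in nodes:
            if nodes[n] in rule["San"]:
                continue  # a downgrader endorses the data: taint stops here
            incoming = set().union(*(taint[p] for p in preds[n]))
            if not incoming <= taint[n]:
                taint[n] |= incoming
                changed = True
    return sorted((src, snk) for snk in nodes if nodes[snk] in rule["Snk"]
                  for src in taint[snk])


if __name__ == "__main__":
    for src, snk in taint_analysis(NODES, EDGES, RULE):
        print(f"potential vulnerability: {NODES[src]} ({src}) "
              f"reaches {NODES[snk]} ({snk}) unsanitized")
```

With the rule above, only the flow into exec_query is reported, because the flow into write_response passes through html_escape; removing html_escape from San makes both sinks reachable.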